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rOQQ.ll The present application hereby claims priority under 35 U.S.C. S 1 19 on 
German patent application number DE 102 47 151.7 filed October 9. 2002. the entire 
contents of which are hereby incorporated herein bv reference 



Field of the Invention 

r00021 T he invention generally relates to a personal electronic web health log for 
storing, processing and using personal health data associated with a user. _ It 
PXCicmblY_i,ncludes having a data interface which can be used to set up a 
communication link. to contracting parties when required in order to transfer data from 
the health log to thern at least intermittently. 

Background of the Invention 

r00031 Patients and health-conscious consumers currently do not have a safe and 
guaranteed fneafts-wa^of discrete electronic access to their sensitive health data from 
all locations. The data are at a wide variety of locations on a wide variety of data 
levels. They can never entirely make their data personally available to third parties on 
the health market at any location at will for the purpose of acquiring knowledge, 
advice and health-promoting services. This would be enormous progress on a 
consumer-oriented health market, however. (For e-commerce, there is a related, 
extended solution Which is the subject of a parallel inventions application). 

[00041 Before the internet existed, the problem did not arise, since electronic 

presence and communication were not actually possible. In state-regulated health 
systems, the problem of communicating patient data has been discussed for more than 
five years on committees set up specifically for the purpose (e.g. the ATG and the 
ZTG in the Federal Republic of Germany), and there is no prospect of a networking 
solution. Methods which are customary at present, which are based on the current 
security structures from signature law, are confronted by the requirement for sensitive 
health data to be communicated over the Internet securely and with the highest level 
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of personality protection, .The method of officially guaranteed identity and the user's 
desire for personality protection are in conflict in principle. 

[00051 T he rights to the data and the options for action by the panics involved in 
the health system are also complicatedly regulated by a great variety of laws, which 
also differ nationally: T his m e ans thut hus. it is currently not even possible to regulate 
the data traffic between the institutions involved in the health service on a standard 
basis. There is even less prospect, it seems, of involving the patient, which would be 
highly desirable from a medical point of view. 

r0006] At the present time, a card (health pass) storing the most important data 
locally now appears to be in the process of becoming accepted- The currently known 
techniques use a privWe key infrastructure (PKI) which allows'secure transmission of 
information between authenticated parties. Identification of the parties involved and 
the existence of central directories give rise to two drawbacks; first, the patient is 
refused anonymous and soft transaction and consultancy developments. Secondly, the 
patient rightly feels that he is a glass person to state-controlled institutions. DB 101 26 
138.1-53 "Sabotage-proof and censorship-resistant personal electronic health file 1 * 
proposes a way of allowing patient files to be stored securely and untraceably on the 
Internet in data capsules. This technique as a partial solution is also useful for 
implementing the present invention, but is not sufficient to solve the problem posed. 

SUMMARY OF THE INVENTION 

r00071 Tte -An embodiment of the invention is therefore based on ifre-an object of 
designing a personal electronic web health log of the type mentioned initially such 
that it allows diverse processing and use of the personal health data on the consumer- 
oriented health market, while maintaining the highest possible standard of security for 
the data, 

100081 An embodiment of ff he invention achieves *his-an object by virtue of such 
a personal electronic web health log of the typo - men tion e d-iftitiftHy b eing 
characterized by a local health log on the user's computer with prestructured 
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electronic forms for inputting the personal health daia^-and -. Further, a tse-a converter 
mv be included , actuated using selection schemes, for producing encrypted data 
which are anonymous, so that they permit no inference as to the identity of the user, 
for addressed filing of at leasr some of the data on the Internet or the like. 

(00091 T he encrypted documents are based on standard formats which can be 
processed by any Internet browser and which have an internal security mechanism in 
such a form that a mechanism contained in the document asks the user for a password 
which can be used to decrypt the document. An example of such an encryptable 
standard document format is the PDF format from Adobe. It is equally possible to use 
encryption programs which produce self extracting files and for which the browsers 
contain a reader plug-in as standard, or can download one from the Internet when 
required, which initiates the password request. Such documents are suitable for 
problem-free hosting on the Internet, sending by e-mail and transport on data storage 
media. ' ! 

fOOlOl In this case, an embodiment of the invention uses apparatuses or services 
(web posters) which allow the user to post or to prompt posting of one or more 
anonymous documents on the web- Such uploading apparatuses (web posters) are 
known as FTP file transfer programs, e.g. WS_FTP from Ipswitch. For this, the user 
needs to have or to acquire access to one or more web domains. The anonymous 
encrypted documents each have an explicit web address (pseudonym ID). Neither 
these documents nor the anonymous documents which can be reached through them 
contain an identifying reference to the person behind them themselves. 

fOOin The relationship between the ID and the person is set up only by the person 
himself by virtue of the person using the ID. If he wants to make information which 
can be reached using the latter available to third parties, he should not unnecessarily 
reveal the pseudonym ID in so doing, All in all, neither does any central data storage 
take place nor does there exist a central directory connecting person characterising 
data and pseudonym data to one another. In principle, the method does not even 
require any person-cfraracterizing data to be stored at all, but ip practice this is 
advantageous. « 
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100121 In one refinement of an embodiment of the invention, provision can be 
made for a secure device for filing and finding the pseudonym TO under which the 
dara are filed in encrypted form on the Internet to be provided, so that the user is 
actually able to refind this pseudonym ID at all times, as fax as possible even when he 
is not sitting in front Qf his local computer, ^ 

s 

r00l3l T o this end, provision can be made, by way of example, for a web visiting 

card or an emergency ID which contains this pseudonym ID to be stored on the 
Internet, with these being able to be found only using an authentication device, that is 
to say a card, a password or the like, for example. 

rOOHl In general, such a personal access object can be apparatuses (e.g. unnoticed 
typing of codes which have been remembered or have been written down in secret, 
computer- readable storage media, such as diskettes, magnetic strip cards, devices 
containing passive chip cards and computers, such as smart cards, mobile devices ...) 
which the user can use to input his pseudonym ID and special passwords for 
encrypting the data in such a way as to be unseen by third parties* so that he can 
access his data on the Internet himself or can provide third parties with access to his 
data in bis presence using access objects. In the latter case, it is safer to download the 
encrypted document without displaying it on the screen and to use only the local copy 
so that the pseudo ID remains secret. For this operation, a new local password can 
also be allocated. The access object works most securely when it uses a dedicated 
computer for said operations. The access object can also comaih the encrypted file 
itself. 

[00151 A fundamental part of such a personal electronic web health log in 
accordance with an embodiment of the invention is a user interface, protected by an 
authentication device, for inputting and maintaining data, sft»4-the interface being able 
to e e mpris e include a keyboard and/or interfaces to card and label readers and/or to a 
remote controller, which is described in a parallel paienr application. The 
authentication devices can <*»mprift e- incliidc all conventional systems, such as 
passwords, code cards, sensors for detecting biometric features or the like. 
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[00161 The local health log comprioeo includes tables with chronological updating* 
free text fields and link elements, these link elements, which allow jumps to other 
places in the local health log> oiher documents and Internet addresses, being able to 
ef>fflfi4ae include , in particular: 

link elements for charts and images (e.g. X-ray, ultrasound etc.), 
link elements for fax and photo reproductions and also e-mails containing 
documents and connections to doctors, laboratories or the like having further data. 

room Such ready-made tables with chronological updating according to date are 
provided, by way of example, for 

occurrences, such as consultations with a doctor, particular own or other 
people's observations, 

standard measurements (weight, blood pressure, ECG. laboratory values, 
series of measurements with date) [ 

genetic-test data, screening data, cancer tesi, 

anamnesis, examinations and their results in coded form and/or in plain text 
and also in the form of images and graphs, 
inoculations, 
prescriptions, 

unlabeled, empty tables for further values. 

[0018] . Free text fields are provided for 

other facts for which the tables contain no fields, 

short profile with a description of previous history, inherited disposition, risks, 
intolerances. 

[00191 The link elements allow jumps to other places in the document, to other 
documents and Internet addresses, 

[00201 Link elements are provided for 

charts and images (e.g. X-ray, ultrasound, ...) j 
fax and photo reproductions of documents, 
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connections to rhc doctors and laboratories having further data. 

r00211 I n addition, there is a printable and e-mailable form to be filled in by hand 
or by computer by the doctor or patient, containing questions relating to the date of 
the occurrence, the reason, activities, result and systems. The unencrypted originator 
document (local health ]og) is continually maintained and therefore needs to be kept 
securely on an interchangeable storage medium, an encrypted partition of the hard 
disk or in encrypted form on the Internet. 

[00221 An important optional section of the health log is provided for tracking and 
documenting results of personal health programs. Such health programs, which 
comprise permanent guidance and monitoring of the patient/health consumer, are 
currently still the exception, but in future will play a large part- In this regard, an 
embodiment of -the invention provides: 

links to the health programs and services used in order to find them quickly at 
all times; the option is also provided of briefly documenting the scores, successes and 
failures on a continual basis and of using the results further. 

LOO 231 Optimally, links can be associated with health-related topics and goods and 
services, advantageously directly with the findings and measurements, images and 
charts, by filing the links belonging to the topics, goods and services, e.g. in the form 
of bookmarks for ihem, on the fields provided for this purpose in and next to the 
tables and free text fields in the local health log. ( 

f00241 T he selection schemes can comprise elements of a consistency check for 
the purpose of checking the data for obvious errors and inconsistencies. In particular, 
however, the selection schemes comprise filters which are valid for particular 
questions and which mark those data in the local health log which are important in 
this regard for targeted partial forwarding. 

fQ0251 In the simplest case, such schemes can effect subdivision such that they 
assign the data to respective appropriate medical areas, with the result that it is 
possible to make a data selection which comprises aj) the facts which are of interest to 
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an internist or else the data for the optician or for an orthopedist. It goes without 
saying that it is naturally also possible for other selection criteria to be provided in 
this context. The schemes can be defined heuristically or can be derived from 
recognized guidelines. They can be defined independently or obtained in completed 
forro. i ( j 

[0026] In another refinement of an embodiment of the invention, at least one 
anonymous encrypted health Jog which is downstream of the converter and can be 
connected to the netwojk via the Internet interface can be provided, in which names 
and communication data for doctors are suppressed as standard and discriminating 
illnesses or treatments (e.g. psychiatry, Aids, . are suppressed at the responsibility 
of the user, The anonymous health log(s) are then hosted as an anonymous web heaJth 
log on the Internet or the like. 

BRItiF DESCRIPTION OF THE DRAWINGS 

100271 Other advantages, features and details of the invention can be found in the 
description below of an exemplary embodiment and with reference to the drawing. 
wherein 

19028] The drawing wftigfr-shows a block diagram of a personal electronic web 

health log in accordance with an embodiment of the invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

[0029] The user uses the personal electronic web health log shown in the figure for 

the following methods in particular: 

£0030] Personal data, maintenance: method of using personal health software to set 

up a personal local electronic health log by filling in the available fields with already 
existing data and to maintain it further using data which continue to arise. The method 
also allows the data in the local health log to be filtered out as desired using schemes 
and allows the reduced data to be converted into an anonymous health log. The 
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anonymous health log contains no references allowing inference of the user in plain 
cexr. (The anonymous health log is encrypted and can be processed and decrypted 
using any browser provided that the user's personal password is known). The 
anonymous health log can be kept and transported using any methods, in particular 
can be hosted on the Internet by any hosts without risk. The user prompts his data to 
be hosted. The data can 'be read only with the password which is linked to the user. 

[00311 Following cor?sulration with or treatment by a doctor or when new 
knowledge or results comes/come to light, resultant results, facts, assessments, 
prescriptions and documents and images which are of importance for the future, and 
also links to the address of the doctor, are transferred to the health log. To this end, 
the computer has a card reader or an interface or at least a data import facility for 
reading a future health card associated with the user. Optionally, electronic labels 
used in future c an also be read. This allows data for consumable 'goods and 
medicaments to be collected and maintained. 

r00321 In one preferred embodiment, a "remote controller" can be used in 
conjunction with the inventive web health log. Besides the card reader and the label 
reader, this remote controller also comprises additional further input apparatuses and 
communication devices for easily collecting health related data both from medical 
appliances and medical products. 

personal data viewing worldwide: the user is able to view the data in the 
web health log anywhere' in the world where there is Internet access. He merely needs 
his personal access object in order to do so. In the simplest case, this aomprigos 
jncludcsjecords or recollection of the web address and the password. 

10034] Making health data available to others: method for providing a doctor or 

another natural person gi ving health advice with access to all of the information from 
the personal health log or to dedicated parts thereof by physically handing over an 
access object as stipulated, for a respective single time or over a fjreseribable period 
of time. 
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[00351 Strengthening contracts by irteafts -use of electronic signature; the 
anonymity of the web health log has the advantage that central censorship is 
prevented and that even cracking the encryption results in nonassociabJe data, and 
informative consultancy can be provided under a very high level of personality 
protection. By contrast, there is a desire for security for payment transactions and 
questions relating to the liability of the supplier or of the organization behind said 
supplier. In such cases, the known mechanisms for private elecironic signature can be 
applied on an adapted security level. In extreme cases, the signature will be necessary 
according to signature law. In all other cases, the user enjoys increased anonymity* 

r00361 Automatic logging of measurement and monitoring results and activities: 
monitoring, tablet taking directly into the log using the remote controller already 
mentioned above. 

fQ037T Services for assisting the user in performing his computer related activities: 
it goes without saying that a finished product has a user interface which contains the 
active parts from said components and summarizes and presents them such that the 
user understands the functions and processes and has little difficulty in doing what he 
wants. In all cases in which reference has been made to the patient, health consumer 
or user, the patient or user can also make use of neutral help services (health 
consultant, house doctor or others) assisting him in implementation. To this end, he 
can send, by way of example, the forms in the local personal health log to his health 
consultant, who produces the anonymous Internet presence therefrom, 

L0_Q3_81_ It is also advantageous for the user of a health service to host personal data 
on the network. It is thus possible to keep and provide all frequently required 
nonsensitive data and public keys and photos, always in updated form, using a web 
visiting card (or home page) merely by providing a personal web ID. This may also be 
an official citizen's ID with certified signature capability. There are also cases in 
which persona] data together with medical data should be released under light 
restrictions. These are emergency data, for example. While the "personal web ED" for 
the visiting card can be freely passed on and a password is not necessary, the ID in the 
case of the emergency access object should always be worn visibly on the body (e.g. 
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amulet, vehicle key ring, watch, personal ID, ...), and the password should not be 
visible and should be exposed only in an emergency. Another important use for the 
personal visiting card is the option of sending messages and passwords in encrypted 
form and of allowing signature (certifiable in stages) on a case by case basis (but the 
latter with step by step dropping of anonymity). 

r00391 It is important to provide good separation between personal and anonymous 
web spaces in order to prevent coincidences and attacks which could result in 
associations in this context. The data are collated personally only with and by the 
user, so that it is not possible to relate the personal data and the anonymous data 
without the user or his records or his FReanfr -way of access. 

r004Q] An embodiment of ffl ie invention represents a change of paradigm for the 
currently customary medical practice: it uses an identity for which one has one's own 
responsibility in parallel with the identity managed centrally and officially. The 
patient himself takes o$ the responsibility for his health and hen<je also, in his own 



interest, for the correctness of the identity details and the correctness of the content of 
the data supplied to him. It has thus been possible to dispense entirely with the central 
server architecture regarded as necessary hitherto, 

f 00411 T he benefit of an embodiment of the invention is that the patient/user is 
given power of disposal over his health data using the means of the invention. This 
power of disposal firstly allows him to inform his partners in health care in a better 
way, i.e. more extensively and specifically, and secondly allows him to take part in 
novel electronic transaction processes which can offer him significant added value for 
his health. The latrer aspect is the subject of a parallel patent application. 

rQ042] Specifically for such an electronic transaction process, the contractual 
module indicated optionally in the figure as well is provided and contains a series of 
standard contracts and contractual provisions which are of significance in this context. 

10-0431 T he statements made have assumed that the user makes his entries in his 
health log personally. He can also delegate these tasks to a person whom he trusts. In 
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comparable fashion tola tax consultant, this person undertakes r^e technical 
procedures for his client with a higher level of expertise, This practice, which is p*rt 
of an embodiment oTthe invention, does not change anything about the means of the 
invention. 

[00441 Exemplary e mbodiments being thus described^ it will be obvious tha^the 
same may be varied in many ways. Such va ri alio_ns_are not to be regarded as a 
departure from the spirit and scope of the present invention, and all such 
modifications as wo uld be obvious to one skilled in the art are intended to be included 
within the scope of the fo l)owinp claims. 



